Bug ID 1099012
Summary BUG: unable to handle kernel paging request at 000000100000004c in put_css_set_locked
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Kernel
Assignee kernel-maintainers@forge.provo.novell.com
Reporter jslaby@suse.com
QA Contact qa-bugs@suse.de
CC mhocko@suse.com
Found By ---
Blocker ---

While powering off a virtual machine running Tumbleweed, a crash occurred:
> [  OK  ] Stopped Session c1 of user root.
> BUG: unable to handle kernel paging request at 000000100000004c
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP PTI
> Modules linked in: af_packet iscsi_ibft iscsi_boot_sysfs nls_iso8859_1 nls_cp437 vfat fat snd_hda_codec_generic virtio_gpu ttm snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm drm_kms_helper drm ppdev snd_timer snd fb_sys_fops syscopyarea sysfillrect sysimgblt soundcore joydev pcspkr virtio_input virtio_balloon virtio_net parport_pc i2c_piix4 parport qemu_fw_cfg button ata_generic uhci_hcd ehci_pci ehci_hcd ata_piix usbcore virtio_scsi serio_raw floppy sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua virtio_rng
> CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.17.2-5.g33a2d86-default #1 openSUSE Tumbleweed (unreleased)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
> RIP: 0010:put_css_set_locked+0x7f/0x270
> RSP: 0000:ffffae67806dfda8 EFLAGS: 00010006
> RAX: 0000000fffffffe0 RBX: ffffa03a76ba9cc8 RCX: 0000000000000040
> RDX: ffffa03b015610c8 RSI: 0000000000000000 RDI: ffffa03a76ba9c00
> RBP: ffffa03a76ba9c08 R08: ffffa03b001b47e0 R09: 0000000000000100
> R10: ffffa03b001b4540 R11: ffffa03b001b42a0 R12: ffffa03a76ba9c00
> R13: ffffa03a76ba9d88 R14: dead000000000200 R15: dead000000000100
> FS:  0000000000000000(0000) GS:ffffa03b06880000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000100000004c CR3: 000000004f554000 CR4: 00000000000006e0

The rest of the output was overwritten unfortunately.

But the assembly is:
ffffffff8112d366:       48 8b 43 08             mov    0x8(%rbx),%rax
ffffffff8112d36a:       48 8b 13                mov    (%rbx),%rdx
ffffffff8112d36d:       48 89 42 08             mov    %rax,0x8(%rdx)
ffffffff8112d371:       48 89 10                mov    %rdx,(%rax)
ffffffff8112d374:       4c 89 3b                mov    %r15,(%rbx)
ffffffff8112d377:       4c 89 73 08             mov    %r14,0x8(%rbx)
ffffffff8112d37b:       48 8b 45 00             mov    0x0(%rbp),%rax
ffffffff8112d37f:       f6 40 6c 01             testb  $0x1,0x6c(%rax)

The crash is on the last line. That is
  if (!(css->flags & CSS_NO_REF))
from css_put. I.e. css is garbage (0x0000000fffffffe0). This is called from
put_css_set_locked as:
        for_each_subsys(ss, ssid) {
                list_del(&cset->e_cset_node[ssid]);
                css_put(cset->subsys[ssid]);
        }


According to rdi (holds cset->subsys) and rbp (iterator which is cset->subsys +
ssid), ssid is 1. If I understand correctly, 1 stands for cpu_cgrp_id, so
cset->subsys[cpu_cgrp_id] is the garbage.
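As an added example (not part of the report, and not kernel code), the following Python script replays the reasoning above mechanically from the register dump: it checks that CR2 is exactly RAX + 0x6c (the operand of the faulting testb), recovers ssid from RBP - RDI on the assumption that RDI is cset->subsys and RBP the for_each_subsys iterator, and identifies the R14/R15 values as the poison list_del() writes into the unlinked node. The register text embedded below is copied from the oops above; the LIST_POISON constants are the x86-64 defaults from include/linux/poison.h.

```python
import re

# Register dump copied from the oops quoted in this report.
OOPS = """\
RIP: 0010:put_css_set_locked+0x7f/0x270
RSP: 0000:ffffae67806dfda8 EFLAGS: 00010006
RAX: 0000000fffffffe0 RBX: ffffa03a76ba9cc8 RCX: 0000000000000040
RDX: ffffa03b015610c8 RSI: 0000000000000000 RDI: ffffa03a76ba9c00
RBP: ffffa03a76ba9c08 R08: ffffa03b001b47e0 R09: 0000000000000100
R10: ffffa03b001b4540 R11: ffffa03b001b42a0 R12: ffffa03a76ba9c00
R13: ffffa03a76ba9d88 R14: dead000000000200 R15: dead000000000100
CR2: 000000100000004c CR3: 000000004f554000 CR4: 00000000000006e0
"""

# list_del() stores these into entry->next / entry->prev (include/linux/poison.h,
# x86-64 default POISON_POINTER_DELTA = 0xdead000000000000).
LIST_POISON1 = 0xdead000000000100
LIST_POISON2 = 0xdead000000000200

MASK64 = 0xffffffffffffffff

# "RAX: 0000000fffffffe0" and "RSP: 0000:ffffae67806dfda8" (optional segment prefix).
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR[234]):\s*(?:[0-9a-f]{4}:)?([0-9a-f]{16})")
# "RIP: 0010:put_css_set_locked+0x7f/0x270"
RIP_RE = re.compile(r"RIP:\s*[0-9a-f]{4}:(\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")


def parse_regs(text):
    """Return {name: int} for every 64-bit general/control register in the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def parse_rip(text):
    """Return (symbol, offset, size) from the RIP line."""
    m = RIP_RE.search(text)
    if m is None:
        raise ValueError("no RIP line found")
    return m.group(1), int(m.group(2), 16), int(m.group(3), 16)


def fault_address(regs, base_reg, disp):
    """Address touched by `testb $0x1,disp(base_reg)`: base + displacement mod 2^64."""
    return (regs[base_reg] + disp) & MASK64


def is_kernel_canonical(addr):
    """Upper-half canonical address under 4-level paging: bits 63..47 all set."""
    return addr >> 47 == 0x1ffff


def subsys_index(regs, base_reg="RDI", iter_reg="RBP"):
    """Assumption: iter_reg holds &cset->subsys[ssid], base_reg holds cset->subsys."""
    delta = (regs[iter_reg] - regs[base_reg]) & MASK64
    if delta % 8:
        raise ValueError("iterator is not pointer-aligned relative to the array base")
    return delta // 8


def poison_name(value):
    """Name the list_del() poison value, or None if it is not one."""
    return {LIST_POISON1: "LIST_POISON1", LIST_POISON2: "LIST_POISON2"}.get(value)


def triage(text):
    """Reproduce the report's analysis from the dump and return the findings."""
    regs = parse_regs(text)
    symbol, offset, size = parse_rip(text)
    css = regs["RAX"]                      # mov 0x0(%rbp),%rax loaded cset->subsys[ssid]
    access = fault_address(regs, "RAX", 0x6c)  # testb $0x1,0x6c(%rax): css->flags
    return {
        "symbol": symbol,
        "rip_offset": offset,
        "fault_matches_cr2": access == regs["CR2"],
        "css_ptr": css,
        "css_is_kernel_ptr": is_kernel_canonical(css),
        "ssid": subsys_index(regs),
        "list_next": poison_name(regs["R15"]),  # mov %r15,(%rbx)    -> node->next
        "list_prev": poison_name(regs["R14"]),  # mov %r14,0x8(%rbx) -> node->prev
    }


if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key:20} {value:#x}" if isinstance(value, int) else f"{key:20} {value}")
```

The two derived facts worth checking before trusting the rest of the analysis are that the access implied by the faulting instruction really lands on CR2 (otherwise the wrong instruction has been identified) and that the list node holds both poison values (confirming list_del() had already completed for this ssid when css_put dereferenced the stale subsys pointer).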
